
Explanation:
Service Control Policies (SCPs) are the correct tool for this requirement.
By creating an SCP with a Deny effect for EC2 actions and applying it to the member accounts, the management account ensures that even the root users in those accounts cannot perform those actions.

Option A is incorrect because IAM policies do not apply to the root user. Option C is for auditing/compliance, and Option D is for vulnerability scanning; neither can prevent root actions directly.
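An SCP of the kind the explanation describes, as an added example that is not part of the original question: it denies every EC2 action when the calling principal is an account root user. The `Sid` value is an illustrative name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2ForRootUser",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Attached to the organization root or to an OU, the policy applies to every member account beneath it. SCPs do not restrict the management account itself.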
Question 46.
A company has several member accounts that are in an organization in AWS Organizations. The company recently discovered that administrators have been using account root user credentials. The company must prevent the administrators from using root user credentials to perform any actions on Amazon EC2 instances. What should a SysOps administrator do to meet this requirement?
A. Create an identity-based IAM policy in each member account to deny actions on EC2 instances by the root user.
B. In the organization's management account, create a service control policy (SCP) to deny actions on EC2 instances by the root user in all member accounts.
C. Use AWS Config to prevent any actions on EC2 instances by the root user.
D. Use Amazon Inspector in each member account to scan for root user logins and to prevent any actions on EC2 instances by the root user.